Report No. DODIG-2012-118                  August 14, 2012

Defense Finance and Accounting Service Needs to
Strengthen Procedures to Comply with the Federal
Financial Management Improvement Act

Additional Copies
To obtain additional copies of this report, visit the Web site of the Department of
Defense Inspector General at http://www.dodig.mil/audit/reports or contact the
Secondary Reports Distribution Unit at auditnet@dodig.mil.

Suggestions for Audits
To suggest or request audits, contact the Office of the Deputy Inspector General for
Auditing at auditnet@dodig.mil, or by mail:

    Department of Defense Office of Inspector General
    Office of the Deputy Inspector General for Auditing
    ATTN: Audit Suggestions/13F25-04
    4800 Mark Center Drive
    Alexandria, VA 22350-1500

Acronyms and Abbreviations
DCPS      Defense Civilian and Pay System
DFAS      Defense Finance and Accounting Service
FFMIA     Federal Financial Management Improvement Act
GSA       General Services Administration
IG        Inspector General
I&T       Information and Technology
MOA       Memorandum of Agreement
OIG       Office of Inspector General
PIO       Performance Improvement Opportunity
PKI       Public Key Infrastructure
SAS 70    Statement of Auditing Standards Number 70

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
4800 MARK CENTER DRIVE
ALEXANDRIA, VIRGINIA 22350-1500

August 14, 2012

MEMORANDUM FOR DIRECTOR, DEFENSE FINANCE AND ACCOUNTING SERVICE

SUBJECT: Defense Finance and Accounting Service Needs to Strengthen Procedures to
Comply with the Federal Financial Management Improvement Act (Report No. D-2012-118)

We are providing this report for your information and use. The Defense Finance and
Accounting Service needs to assess the Defense Civilian Pay System's compliance with
applicable Federal Financial Management Improvement Act requirements and secure access
to two payroll offices at Indianapolis, Indiana, that process sensitive payroll information.

We considered management comments provided by the Director, Information and
Technology on behalf of the Director, Defense Finance and Accounting Service on the draft
of this report when preparing the final report. The Director, Information and Technology
comments conformed to the requirements of DoD Directive 7650.3; therefore, additional
comments are not required.

We appreciate the courtesies extended to the staff. Please direct questions to me at
(703) 601-5945 (DSN 329-5945).

Lorin T. Venable, CPA
Acting Assistant Inspector General
DoD Payments and Accounting Operations

Report No. D-2012-118 (Project No.
D2011-D000FB-0116.001)                          August 14, 2012

Results in Brief: Defense Finance and Accounting Service Needs to Strengthen
Procedures to Comply with the Federal Financial Management Improvement Act

What We Did
We determined whether physical security over Defense Civilian Pay System (DCPS) data
was adequate and whether DCPS complied with the requirements of the Federal Financial
Management Improvement Act (FFMIA).

What We Found
The Defense Finance and Accounting Service (DFAS) did not perform annual or complete
self-assessments on DCPS to determine FFMIA compliance and did not develop a
remediation plan to address requirements that DCPS did not meet. This occurred because
DFAS officials were waiting on additional DoD guidance before pursuing FFMIA compliance
further. Systems that do not comply with FFMIA requirements restrict the ability of
organizations to consistently and accurately record the assets, liabilities, revenues,
expenses, and the full costs of programs and activities of the Federal Government.

DFAS Officials did not secure two of four Civilian Pay Operations locations at
Indianapolis with cipher locks. This occurred because DFAS had not completed required
actions with the General Services Administration to secure the locations. Without
adequate controls over physical access, individuals could gain unauthorized access to
computers and sensitive payroll data contained in online files and hardcopy printouts.

During the audit, DFAS Indianapolis funded a new access control project that will
establish lockable space and eliminate access concerns. DFAS Indianapolis expected to
complete the project by the end of FY 2012.

What We Recommend
We recommend the Director, DFAS, consult the “DFAS Financial Management Systems
Requirements Manual” to:
   • identify the requirements that apply to DCPS,
   • determine which ones DCPS cannot perform, and
   • develop a remediation plan to address deficiencies.

Management Comments and Our Response
The Director, Information and Technology responded for the Director, DFAS. He
concurred and stated that the DCPS system/functional managers will conduct a
self-assessment and identify applicable requirements. If the self-assessment finds
DCPS not compliant, the system manager will identify required corrective actions and
develop a remediation plan to bring DCPS into substantial compliance. The Director,
Information and Technology, comments were responsive and no additional comments are
required. Please see the recommendations table on the back of this page.

Recommendations Table

Management                        Recommendations        No Additional Comments
                                  Require Comment        Required

Director, Defense Finance and                            A.1.a, A.1.b, A.2
Accounting Service

Table of Contents

Introduction
      Objectives
      Background
      Other Matters of Interest
      Review of Internal Controls

Finding A. Assessing Federal Financial Management Improvement Act Compliance
      Federal Financial Systems Requirements
      Federal Financial Management Improvement Act Compliance
          for the Defense Civilian Pay System Needed Improvement
      Efforts to Determine Compliance
      Conclusion
      Recommendations

Finding B. Physical Access Controls
      Information Assurance
      Physical Access Controls at Defense Finance and
          Accounting Service, Indianapolis Needed Improvement
      Management Actions

Appendices
      A. Scope and Methodology
            Prior Coverage
      B. Performance Improvement Opportunities
      C. Status of Prior Year Findings

Glossary

Management Comments
      Defense Finance and Accounting Service

Introduction

Objectives
The overall audit objectives were to determine whether the Defense Civilian Pay
System’s (DCPS) general and application controls were adequately designed and
effective to produce reliable data and whether the DCPS substantially complied with the
Federal Financial Management Improvement Act of 1996 (Public Law 104-208)
requirements and other applicable Federal and DoD information technology and
information assurance policies. Appendix A discusses the audit scope and methodology,
as well as prior audit coverage related to the audit.

This report supplements DoD Office of Inspector General Report No. D-2011-085,
“Defense Civilian Pay System Controls Placed in Operation and Tests of Operating
Effectiveness for the Period From October 1, 2010, Through April 30, 2011,” July 15,
2011.
The previous report concluded that controls were operating with sufficient
effectiveness to provide reasonable, but not absolute assurance that DFAS officials
achieved the following control objectives during the period from October 1, 2010 to
April 30, 2011:

   • An enterprise-wide security program was established, approved by management,
     monitored and tested, and maintained.

   • Risk assessments were performed in accordance with applicable Federal and DoD
     requirements, and management reviews; and addressed risks as deemed
     appropriate by management.

   • Management monitored compliance with policies and procedures and addressed
     instances of noncompliance.

   • Management reviewed and authorized the hiring of and periodically evaluated
     employees with information assurance duties (staff), and out-processed
     terminated staff in accordance with applicable Federal and DoD requirements,
     and staff understood their documented duties.

   • Management authorized, tested, approved, documented, and properly
     implemented changes to DCPS in accordance with management’s defined
     requirements.

   • Logical access to the DCPS application was granted to properly authorized
     individuals.

   • DCPS computer processing was authorized and scheduled, and deviations from
     scheduled processing were identified and resolved.

   • Personnel and payroll data transmitted to and from interfacing systems were
     transferred completely, accurately, and timely.

   • Input data were authorized and were entered in DCPS completely and accurately.

   • Personnel and payroll data processed and stored at DFAS and DCPS locations
     were authorized, complete, accurate, and timely processed, and the results of
     processing were recorded in audit trails.

   • Output files were complete, accurate, and distributed in accordance with client
     specifications.

This report addresses whether DCPS complied with the Federal Financial Management
Improvement Act (FFMIA) and whether physical security over DCPS data was adequate.

Background
The Defense Civilian Pay System (DCPS) processes pay for approximately 1.2 million
employees, in accordance with existing regulatory, statutory, and financial information
requirements related to civilian pay entitlements and applicable policies and procedures.
DCPS pays all DoD civilian employees except local nationals, civilian mariners, and
those supported by nonappropriated funds. In 1998, DCPS also began to pay personnel
of the Executive Office of the President. As part of the 2001 President’s Management
Agenda e-Payroll Initiative, DCPS now processes payroll for the Departments of Energy,
Veterans Affairs, and Health and Human Services; the Environmental Protection Agency;
and the Broadcast Board of Governors. From a life-cycle perspective, DCPS is in the
maintenance phase; its system changes are usually limited to legislative and functional
requirements.

Other Matters of Interest
During the audit, we identified Performance Improvement Opportunities (PIOs) that do
not require formal recommendations (Appendix B). In addition, Appendix C provides a
status of all prior findings and recommendations associated with DCPS over the last five
years.

Review of Internal Controls
DoD Instruction 5010.40, “Managers’ Internal Control Program Procedures,” July 29,
2010, requires DoD organizations to implement a comprehensive system of internal
controls that provides reasonable assurance that programs are operating as intended and
to evaluate the effectiveness of the controls.
DFAS did not have the following internal
controls for regulatory compliance and information: a self-assessment and remediation
process for FFMIA compliance, and physical security over sensitive information. We
will provide a copy of the report to the senior official for internal controls at the Defense
Finance and Accounting Service.

Finding A. Assessing Federal Financial
Management Improvement Act Compliance
DFAS officials did not comply with the FFMIA, as it relates to DCPS. Specifically,
DFAS officials did not perform annual or complete self-assessments on DCPS to
determine FFMIA compliance and did not develop a remediation plan to address
requirements not met by DCPS. This occurred because DFAS officials were waiting on
additional DoD guidance before pursuing FFMIA compliance further. Systems that do
not comply with FFMIA requirements restrict the ability of organizations to consistently
and accurately record the assets, liabilities, revenues, expenses, and the full costs of
programs and activities of the Federal Government.

Federal Financial Systems Requirements
In 1996, Congress enacted the FFMIA (Public Law 104-208), which requires each
agency to implement and maintain financial management systems that comply
substantially with Federal financial management systems requirements, applicable
Federal accounting standards, and the United States Government Standard General
Ledger at the transaction level.

Office of Management and Budget Circular No. A-127, “Financial Management
Systems,” January 9, 2009, implemented the FFMIA. The Circular requires that agencies
perform an annual review of their financial management systems to verify compliance
with computer security and internal controls.
If agencies do not use a system certified by
the Financial Systems Integration Office, then the agencies may also be required to
perform self-assessments of their core financial system. In addition, agencies must
prepare a plan for their financial management systems that:

   • describes the existing financial management system architecture, and any changes
     needed to implement a targeted architecture, and
   • identifies projects necessary to achieve FFMIA substantial compliance within
     three years from the date of noncompliance.

DFAS’s “Financial Management Systems Requirements Manual,” (more commonly
known as the Blue Book) is a comprehensive compilation of Federal and DoD financial
management system requirements, as mandated by FFMIA. The requirements in the
Blue Book document are applicable to accounting and finance systems operated and
maintained by DFAS as well as “feeder” systems owned by the Military Services and
DoD Components. The manual outlines specific requirements that DoD systems must
satisfy to meet financial management requirements.
The Blue Book identifies both the
specific requirement, as well as the authoritative source of the requirement, and assists
managers (who are responsible for financial management systems) in planning,
designing, enhancing, modifying, and implementing financial management systems.
Managers are ultimately responsible for being knowledgeable of and complying with the
various authoritative sources of financial requirements (both legislative and regulatory).

Federal Financial Management Improvement Act
Compliance for the Defense Civilian Pay System Needed
Improvement
DFAS officials did not perform annual or complete self-assessments on DCPS to
determine FFMIA compliance and did not develop a remediation plan to address
requirements that DCPS did not meet.

Blue Book Requirements for DCPS Needed to be Reassessed
DFAS officials had not performed annual self-assessments to determine whether DCPS
was compliant with current Blue Book requirements. DFAS officials performed the most
recent self-assessment in 2009. DCPS is an entitlement system that provides pay and
leave information to other financial systems to create reports, reconcile balances,
deposit funds, provide information for core accounting systems to update their General
Ledgers, and perform cost analysis. DCPS is also the payroll system for 5 of the 24
Agencies subject to the Chief Financial Officer’s Act. DCPS also feeds an additional
nine DoD financial statements required by the Office of Management and Budget.
DFAS officials identified
three volumes in the Blue Book that applied to DCPS in 2009:

   • Volume 2 – Financial Reporting
   • Volume 7 – Personnel Pay
   • Volume 14 – Audit Trails and System Controls

However, DFAS updated the Blue Book three times since 2009. The January and May
2011 Blue Book updates added six new requirements (Requirement Identification
Numbers 07.01.074, 07.06.086 through 07.06.089, and 07.08.006) to Volume 7 that
DFAS officials should have assessed to determine applicability. In addition, although
Volumes 2, 7, and 14 contained the majority of requirements applicable to DCPS, the
January 2011 update included a new requirement (Requirement Identification Number
01.02.017) in Volume 1 that was also relevant:

      The Standard Financial Information Structure [SFIS] is required for “all
      target and legacy business feeder systems that will interface with a
      target system, as identified in the Enterprise Transition Plan that
      support financial transactions.”

DCPS is a legacy business feeder system that will be part of DoD’s business enterprise
architecture. Accordingly, DCPS should be capable of feeding SFIS compliant data to
agency systems that it supports (DoD and other federal agencies). Systems that do not
comply with FFMIA requirements restrict the ability of organizations to consistently
and accurately record the assets, liabilities, revenues, expenses, and the full costs of
programs and activities of the Federal Government.
A thorough review of current Blue
Book requirements will enable DFAS officials to assess whether DCPS substantially
complies with FFMIA.

DFAS Officials Needed to Update DCPS Self-Assessment
DFAS officials did not perform complete self-assessments. The 2009 self-assessment
indicated that DCPS was compliant with 82 of 94 system requirements. However, for
five system requirements (Requirement Identification No. 14.01.01, 14.02.52, 14.02.54,
14.02.55, and 14.04.09), DFAS officials did not determine whether DCPS was compliant,
not compliant, or even whether the requirements were applicable to DCPS. For example,
Requirement Identification No. 14.01.01 called for the system to generate an audit trail
of transactions recorded as a document moves from the source through all document
statuses. However, the self-assessment did not indicate whether DCPS did or did not
comply with the requirement.

In addition, the self-assessment indicated that DCPS did not meet the requirement to use
Public Key Infrastructure (PKI) certificates and biometrics for positive authentication
(Requirement Identification No. 14.04.04). However, DFAS officials did not prepare a
remediation plan that would address the non-compliance. The self-assessment stated that
DCPS was a legacy system that did not use PKI and that DCPS employed user ID,
password authentication, and regular monitoring, which are not substitutes for PKI.
DoD’s implementation of PKI uses two-factor authentication.
Requiring two factors of
authentication – “something you know,” such as a Personal Identification Number and
“something you have,” such as a PKI-enabled Common Access Card – is called
two-factor authentication. Two-factor authentication is a proven method for decreasing
intrusions and other types of security breaches by ensuring that stolen user names and
passwords are insufficient to gain access to networks.

Lastly, the self-assessment indicated that DCPS complied with the requirement to
produce the reports and vouchers necessary to recognize payroll expenses, establish
related receivables, and disburse all related payments to produce supporting detail
registers or subsidiary ledgers (Requirement Identification No. 07.06.28). However, the
self-assessment stated that although DCPS produced an automated file to accomplish
disbursements and Treasury reporting, the file “[did] not meet all of the requirements that
the accounting systems [had] developed.” Consequently, DCPS may not have been fully
compliant with the requirement. DFAS officials should reassess whether DCPS fully
meets this payroll system requirement.

FFMIA Compliance for DCPS Has Been a Long-Standing Issue
The DoD Inspector General (DoD OIG) issued three reports in prior years related to
problems with completing DCPS self-assessments. These reports demonstrate
long-standing difficulties that DFAS officials encountered while assessing DCPS
compliance with FFMIA:

   • DoD OIG Report No. D2010-074, “Information Assurance Controls for the
     Defense Civilian Pay System for FY 2009,” August 2, 2010, stated that DCPS did
     not comply with FFMIA because DFAS did not test the mandatory requirements.
     During the audit, DFAS was still in the requirements analysis stage of the
     compliance process;
   • DoD OIG Report No. D-2006-074, “Technical Report on the Defense Civilian
     Pay System General and Application Controls,” April 12, 2006, stated that the
     DCPS Systems Management Office did not assess compliance since FY 2000
     because they were waiting on direction from DFAS Headquarters; and
   • DoD OIG Report No. D-2005-069, “Information System Security: Audit of the
     General and Application Controls of the Defense Civilian Pay System,” May 13,
     2005, concluded that the self-assessment had been completed using outdated
     guidance.

DFAS officials need to update the self-assessment using the current Blue Book
requirements and make a determination on whether DCPS is compliant with each
requirement that applies to the DCPS operating environment. Once the assessment is
updated and complete, DFAS officials should prepare a remediation plan for instances of
non-compliance.

Efforts to Determine Compliance
DFAS Information and Technology (I&T) personnel stated that they were waiting for
Department-wide guidance to implement remediation plans through DFAS participation
in DoD’s Financial Improvement Audit Readiness initiative. At a minimum, however,
DFAS officials needed to complete annual self-assessments and identify the projects
needed to achieve FFMIA substantial compliance within three years.

Conclusion
DCPS is the payroll system for 5 of the 24 Agencies subject to the Chief Financial
Officer’s Act.
DCPS also feeds an additional nine DoD financial statements required by
the Office of Management and Budget. Systems that do not comply with FFMIA
requirements restrict the ability of organizations to consistently and accurately record the
assets, liabilities, revenues, expenses and the full costs of programs and activities of the
Federal Government.

Recommendations, Management Comments and Our
Response
We recommend that the Director, Defense Finance and Accounting Service:

A.1. Perform an annual review of the Defense Civilian Pay System, as required by
Office of Management and Budget Circular No. A-127, to:

   a. Determine which Blue Book requirements apply to the Defense Civilian Pay
      System.
   b. Determine which of the Blue Book requirements that apply to the Defense
      Civilian Pay System, cannot be performed.

Defense Finance and Accounting Service Comments
The Director, I&T, responded for the Director, DFAS. He concurred and stated that the
DCPS system/functional managers will conduct a self-assessment and identify applicable
requirements. The Director, I&T indicated that the estimated completion date for the
self-assessment review is August 31, 2012.

Our Response
The Director, I&T, comments on Recommendations A.1.a and A.1.b were responsive,
and no additional comments are required.

A.2. Develop a remediation plan to address the requirements that Defense Civilian
Pay System cannot perform.

Director, Information and Technology Comments
The Director, I&T, concurred and indicated that if the self-assessment finds DCPS not
compliant, the system manager would identify required corrective actions and develop a
remediation plan to bring DCPS into substantial compliance.
The Director, I&T,
indicated that the estimated completion date for developing a remediation plan is
September 30, 2012.

Our Response
The Director, I&T, comments were responsive, and no additional comments are required.

Finding B. Physical Access Controls
DFAS Indianapolis personnel did not secure two of four Civilian Pay Operations
locations at Indianapolis with cipher locks. This occurred because DFAS Indianapolis
personnel had not completed required actions with the General Services Administration
(GSA) to secure the locations. Without adequate controls over physical access,
individuals could gain unauthorized access to computers and sensitive payroll data
contained in online files and hardcopy printouts.

Information Assurance
DoD Instruction 8500.2, “Information Assurance Implementation,” February 6, 2003,
implements the policies outlined in DoD Instruction 8500.1 by assigning responsibilities,
and prescribing procedures for applying integrated, layered protection of the DoD
information systems and networks. DoD Directive 8500.1 defines information assurance
as measures that protect and defend information and information systems by ensuring
their availability, integrity, authentication, confidentiality, and nonrepudiation. These
measures include providing for restoration of information systems by incorporating
protection, detection, and reaction capabilities. The instruction requires DoD to assess
information systems regularly for information assurance vulnerabilities and implement
appropriate solutions to eliminate or otherwise mitigate identified vulnerabilities.

Physical Access Controls at Defense Finance and
Accounting Service, Indianapolis, Needed Improvement
DFAS Indianapolis did not secure two of four Civilian Pay Operations locations with
cipher locks.
DoD Instruction 8500.2 requires every physical access point to facilities\nhousing workstations that process or display sensitive information or unclassified\ninformation that has not been cleared for release be controlled during working hours\nand guarded or locked during non-work hours. Although this deficiency was identified\nin two prior reports (D2009-001, “Information Assurance Controls for the Defense\nCivilian Pay System,” dated October 7, 2008; and D2010-074, “Information Assurance\nControls for the Defense Civilian Pay System for FY 2009,” dated August 2, 2010), the\noffice spaces at DFAS Indianapolis remained unsecured during our most recent audit.\nSecuring all locations with cipher locks would reduce the risk that unauthorized\nindividuals could:\n   •   gain access to sensitive payroll data contained in hardcopy print outs and online\n       files,\n   •   obtain personally identifiable information for personal gain or introduce malicious\n       code into DCPS, and\n   •   obtain logical access to computer workstations used by Civilian Pay Operations\n       employees to access DCPS.\n\nManagement Actions\nWe recognize that the payroll offices in Indianapolis were located in a Federal building\nand to install cipher locks required coordination between DFAS Indianapolis (the tenant)\nand GSA (the owner of the building with responsibility for building maintenance). DFAS\nIndianapolis officials provided funds to GSA for a new Access Control project that will\nestablish lockable space in all areas and will consolidate Civilian Pay Operations to\neliminate access concerns. DFAS Indianapolis expected to complete the project by the\nend of FY 2012. DFAS Indianapolis officials also stated that until the Access Control\nproject is complete, Civilian Pay Operations has established interim internal controls\nsuch as visitor logs, mandatory visitor escorts, and signage stating “Authorized\nPersonnel Only.” Because we believe the management actions described above were\nsufficient, we made no recommendations associated with the access control issues\nidentified in this report.\n\nAppendix A. Scope and Methodology\nWe conducted this performance audit from January 2011 to May 2012, in accordance\nwith generally accepted government auditing standards. Those standards require that we\nplan and perform the audit to obtain sufficient, appropriate evidence to provide a\nreasonable basis for our findings and conclusions based on our audit objectives. We\nbelieve that the evidence obtained provides a reasonable basis for our findings and\nconclusions, based on our audit objectives.\n\nWe assessed the design and operating effectiveness of the DCPS controls at three DFAS\norganizations. We developed audit procedures to test DCPS general and application\ncontrols using the Government Accountability Office Federal Information System\nControls Audit Manual methodology and procedures prescribed in DoD Instruction\n8500.2. In addition, we separated audit procedures into the following areas:\n\n   •  General Computer Controls. 
These controls include the structure, policies, and\n      procedures that apply to an entity’s overall computer operations. General\n      computer controls consist of entity-wide security management, access controls,\n      configuration management, and segregation of duties.\n   •  Application Controls. These controls directly relate to individual applications\n      and are designed to ensure that transactions are valid, properly authorized, and\n      completely and accurately processed and reported. Application controls include\n      programmed control techniques, such as automated edits, and manual follow-up\n      of computer-generated reports, such as reviews of reports identifying rejected or\n      unusual items.\n\nWe interviewed personnel at DFAS I&T in Indianapolis, Indiana, and DFAS payroll\noffices in Cleveland, Ohio, and Indianapolis, Indiana. We reviewed general and\napplication controls in place only at DFAS organizations. We did not review application\ncontrols at any other payroll office or customer organization.\n\nWe did not review general controls performed by the Defense Information Systems\nAgency that provided direct or indirect administration and support of the operating\nenvironment used to host DCPS.\n\nWe did not test controls covering the originating systems that interface with DCPS.\nControls at DCPS customer organizations were not included within the scope of this\naudit.\n\nUse of Computer-Processed Data\nWe did not rely on computer-processed data to perform this audit.\n\nPrior Coverage\nDuring the last 5 years, the DoD IG has issued 6 reports discussing DCPS general and\napplication controls. Unrestricted DoD IG reports can be accessed at\nhttp://www.dodig.mil/audit/reports.\n\nDoD IG Report No. 
D-2011-085, “Defense Civilian Pay System Controls Placed in\nOperation and Tests of Operating Effectiveness for the Period From October 1, 2010,\nThrough April 30, 2011,” July 15, 2011\n\nDoD IG Report No. D-2010-074, “Information Assurance Controls for the Defense\nCivilian Pay System for FY 2009,” August 2, 2010\n\nDoD IG Report No. D-2010-071, “Defense Civilian Pay System Controls Placed in\nOperation and Tests of Operating Effectiveness for the Period From October 1, 2009,\nThrough April 30, 2010,” July 2, 2010\n\nDoD IG Report No. D-2009-119, “Defense Civilian Pay System Controls Placed in\nOperation and Tests of Operating Effectiveness for the Period From October 1, 2008,\nThrough June 30, 2009,” September 30, 2009\n\nDoD IG Report No. D-2009-001, “Information Assurance Controls for the Defense\nCivilian Pay System,” October 7, 2008\n\nDoD IG Report No. D-2007-096, “Information Assurance Controls for the Defense\nCivilian Pay System,” May 14, 2007\n\nAppendix B. Performance Improvement Opportunities\nWe identified several PIOs during our review of DCPS. Implementation of these\nopportunities would allow DFAS to strengthen existing procedures and operational\npractices and gain additional process efficiencies. These observations are PIOs and we\nwill not issue formal recommendations to DFAS.\n\nFormal Termination and Transfer Account Deletion Procedures\nDFAS Cleveland lacked formal termination and transfer procedures that established\nresponsibilities and timeframes for terminating the access of Civilian Pay employees who\nleave or transfer from Civilian Pay. 
Although communication did occur between Human\nResources and Civilian Pay, formalized procedures would help ensure that DFAS\npersonnel timely and consistently remove access from all terminated and transferred\nemployees.\n\nDCPS Listing of Edit Checks\nDFAS I&T DCPS system documentation contained a listing of application edits that\nincluded an outdated edit check no longer used by DCPS in the production environment.\nBy maintaining a current listing of DCPS edit checks, DFAS I&T management would be\nbetter equipped to manage DCPS in an effective and efficient manner. Although there\nare no requirements, DFAS management should consider updating and maintaining\nDCPS system documentation to include a current listing of all DCPS edit checks.\n\n592 Balancing Instructions\nDFAS management had not updated DFAS 592 Balancing Instructions to include the\nsupervisory review procedures, and the signatures and dates that were included on the\n592 Reconciliations. Up-to-date 592 Balancing Instructions would help ensure that\nsupervisors properly review, sign, and date the 592 Reconciliations. Although there are\nno requirements, DFAS management should consider updating and maintaining the\n592 Balancing Instructions to include the supervisory review procedures and the\nsignatures and dates that were included on the 592 Reconciliations.\n\nAppendix C. 
Status of Prior Year Findings\nThe following table describes the status of all prior year findings that were open as of the initiation of the current year’s audit.\n\n| Original Fiscal Year Finding Was Reported | Recommendation Number [1] | Finding Description | Open/Closed | Management Response |\n|---|---|---|---|---|\n| 2010 | N/A | DFAS Standards and Compliance Division, which is responsible for monitoring control weaknesses and process issues identified in audits and self-assessments, did not track audit issues identified during the prior-year SAS 70 audit. | Closed | Management agreed with the exception in theory but provided clarity that DFAS tracks ONLY to recommendations that are included in a technical report for SAS 70 and the same is applied for all other audits internal and external. To remediate this exception, management will ensure going forward that we track to the draft SAS 70 report on issuance. Additionally, management believes this is an isolated incident and the control is working as intended. |\n| 2010 | N/A | DFAS Human Resources could not provide an Out-Processing Checklist for one of two employees who separated from DFAS Cleveland during the examination period. | Closed | Management agreed with the exception, but in order to remediate this exception, management will work with DFAS Human Resources to ensure we have a defined process for ensuring all Out-Processing Checklists, both online and manual, are retained for separated employees. |\n| 2010 | N/A | DFAS Saufley [2] did not sufficiently evidence the follow-up for 6 of 35 database or interface file data changes that were identified as unsupported by a valid change request during database and interface file change reviews performed for the months of October, November, and December 2009 and January 2010. | Closed | Management agreed that additional follow-up is needed. The standard operating procedures for the Data Manipulation Language Online audit are being updated to include this additional level of review. That update will include a reconciliation of the supervisor’s comments to ensure every entry has been addressed and the action taken. |\n| 2010 | N/A | DFAS Saufley did not ensure that all parties that are required to sign the DD 2875 user access form also annotated the date that they signed the form, as required. Specifically, for 1 of 36 sampled DCPS users, the information owner did not annotate the date that he/she signed the form. | Closed | Management agreed with the finding. DFAS Saufley created a new DD 2875 as soon as the employee returned to work. |\n| 2010 | N/A | DFAS Saufley had implemented a privileged user access recertification process that does not require supervisors to evidence the specific user account(s) that they are recertifying. Additionally, DFAS Saufley had not implemented a process to validate that it periodically recertified each privileged user account. | Closed | Management agreed with the finding. Based on last year\'s audit report, DFAS took action to improve this review process by capturing and enforcing responses from management; however, the current process does include the formal review of user identifications and their associated access. |\n| 2010 | N/A | DFAS Indianapolis used a manually maintained list of users to perform supervisory reviews of Civilian Pay employees with access to DCPS rather than system-generated user access listings. | Closed | Management agreed that this is not a system-generated list. This is a quarterly review and not a requirement or mandate. This is an additional control to the monthly DCPS audit reviews that the Indianapolis Payroll Office instituted, because of last year\'s SAS 70 report. |\n| 2010 | N/A | DFAS Saufley has not consistently documented Memorandums of Agreement (MOAs) with customers to include the interface file type and frequency of files sent and received. Specifically, of 28 customer MOAs inspected: 4 did not identify the frequency of files sent and received, and 2 contained signatures obtained more than 3 years ago, thus rendering the MOAs expired. | Open [3] | Management agreed with the exception in that MOAs are not consistently documented to identify the transmission type and the frequency of files sent and received. To remediate this exception, management is in the process of updating the MOAs. |\n| 2010 | N/A | DFAS Saufley could not provide a consolidated listing of all of the data transmission completeness edit checks required by the service auditor in order to test the suitability of the design of the edit checks. As a result, the service auditor could not test the design or operating effectiveness of the data transmission completeness edit checks or the corresponding reviews performed by personnel at DFAS Saufley that rely on the outputs of the edit checks. | Closed | The DCPS Interface Specification is a 1,100+ page consolidated view of all user data formatting requirements for the 100+ types of DCPS interfaces and is systematically updated, as a DCPS configured item with every quarterly release. "Edits and validations" as defined by the audit team are at a level of detail beyond the existing DCPS Interface Specification. Based on estimates of the scope of the task and level of effort, management determined that defining all completeness checks and program edits/validations for 100+ interfaces for a very large system such as DCPS - with often multiple pre-processing and post-processing steps - has been cost prohibitive. This year’s audit did, however, address testing of 20+ file completeness edits for 2 of the most critical DCPS interfaces – Source Data Automation and Personnel Data System - with no exceptions noted. |\n| 2010 | N/A | DFAS Cleveland technicians did not record their initials and review dates for 1 of 24 Thrift Savings Plan (TSP) error reports inspected for testing. | Closed | Management agreed with the exception that annotations evidencing technician review for one TSP report were not present. In order to remediate this exception, management will ensure technicians annotate the TSP reports, as required. Additionally, management believes this is an isolated incident and the control is working as intended. |\n| 2010 | N/A | DFAS Saufley did not sufficiently document the required destination for 44 of 45 sampled outgoing file transfers. Specifically, DFAS Saufley was unable to provide evidence of the intended destination (i.e., DCPS Action Request or e-mail) for 18 of the 45 outgoing file transfers selected for testing. Additionally, the destination within the documentation provided by the client did not match the destination within the file transfer table for 26 of the remaining outgoing file transfers selected for testing. | Closed | Management agreed that existing interface documentation does not consistently identify specific technical destinations (e.g., IP address, remote host name) as reflected in the DCPS table data provided for audit review. Direct traceability from a technical destination in a table entry to an originating customer request has not been a DCPS system requirement to date. While the DCPS project does monitor production jobs to ensure successful completion of outgoing file transfers, customers/end users of the data historically provide additional control measures to ensure receipt. Full remediation - to include changes in DCPS transfer table formats and direct customer contacts/reviews for the approx 6,800 physical file transfers in this interface population - would constitute a significant new workload and investment of DFAS resources. |\n| 2010 | N/A | DFAS Cleveland did not reconcile the 592 checklist to the Report of Withholdings and Contributions for Health Benefits, Life Insurance, and Retirement Reports for 1 of 24 592 reconciliations. However, the unreconciled items did balance, and as a result, the 592 certification was correct. | Closed | Management agreed with the exception. However, the exception was found and corrected prior to the SAS 70 review by adding a formula to the checklist. No further problems were identified after that time, and the 592 certification was in balance. To correct the exception, DFAS Cleveland is developing individual spreadsheets and eliminating the monthly carry-forward process. |\n| 2010 | N/A | DFAS Cleveland did not reconcile the 592 checklist to the TSP Certification of Transfer for 6 of 24 592 reconciliations. However, the unreconciled items did balance, and as a result, the 592 certification was correct. | Closed | Management agreed with the exception. However, the exception was found and corrected prior to the SAS 70 review by adding a formula to the checklist. No further problems were identified after that time, and the 592 certification was in balance. To correct the exception, DFAS Cleveland is developing individual spreadsheets and eliminating the monthly carry-forward process. |\n| 2010 | Technical Report | DFAS Saufley did not clearly distinguish transfers from separations on the separations report. | Closed | This is a PIO and not a finding; therefore, no management responses were required |\n| 2010 | Technical Report | DFAS Saufley did not have a process to establish criteria for determining the criticality of DCPS interfaces. | Closed | This is a PIO and not a finding; therefore, no management responses were required |\n| 2010 | Technical Report | DFAS Cleveland’s payroll technicians did not start with blank 592 reconciliation checklists each pay period. | Closed | This is a PIO and not a finding; therefore, no management responses were required |\n| 2010 | Technical Report | DFAS Indianapolis did not require supervisor sign-off evidencing supervisor review of the TSP error report. | Closed | This is a PIO and not a finding; therefore, no management responses were required |\n| 2010 | Technical Report | DFAS Indianapolis did not require annotations on the Duplicate Social Security Number report regarding issues requiring payroll technician follow-up action. | Closed | This is a PIO and not a finding; therefore, no management responses were required |\n| 2009 | E.4 | DFAS management did not implement standard operating procedures to include payroll input processing procedures. Specifically, DFAS Indianapolis did not document procedures for performing reviews and related follow-ups for the Personnel Interface Message Report and the New Hire Suspense Report. In addition, at DFAS Cleveland, the New Hire Suspense Report desktop procedures did not include review procedures and did not require supervisory review of the report. | Closed | The DFAS Director agreed with the recommendations and stated that DFAS would provide guidance and procedures for reviews and follow-ups for the Personnel Interface Message Report by October 1, 2010, and that it had implemented supervisory reviews of the New Hires report. |\n| 2009 | A.1.a | The DFAS and Defense Information System Agency’s certification and accreditation packages did not contain specific supporting documentation for each applicable DoD Instruction 8500.2 control. According to National Institute of Standards and Technology Special Publication 800-37, the security accreditation package should include the results of the security certification and provide the authorizing official with the essential information needed to make a credible, risk-based decision on whether to authorize operation of the information system. | Closed | The DFAS Director agreed with the recommendations and stated that DFAS included validation documentation to the DCPS certification and accreditation package on July 13, 2010. |\n\n[1] Findings marked as ‘Not Applicable’ (N/A) were exclusively reported in prior year Statement on Auditing Standards No. 70 (SAS 70) and, as such, did not include a corresponding recommendation.\n[2] I&T organizations that administered DCPS were located at Saufley Field in Pensacola, Florida, prior to their move to Indianapolis, Indiana during the period October through December 2010. These organizations were commonly referenced within prior year audit reports as “DFAS Saufley.”\n[3] In our most recent report (DoD IG Report No. D-2011-085, Defense Civilian Pay System Controls Placed in Operation and Tests of Operating Effectiveness for the Period October 1, 2010 through April 30, 2011) we noted that this finding was still open. Of 27 MOAs selected for testing, one did not identify the transmission type of the files sent and/or received, three did not identify the frequency of files sent and received, and four contained signatures obtained more than three years ago.\n\nGlossary\n\nApplication - software program that performs a specific function directly for a user and\ncan be executed without access to system control, monitoring, or administrative\nprivileges. 
Examples include office automation, electronic mail, Web services, and\nmajor functional or mission software programs.\n\nAvailability - timely, reliable access to data and information services for authorized\nusers.\n\nConfidentiality - assurance that information is not disclosed to unauthorized entities or\nprocesses.\n\nData - representation of facts, concepts, or instructions in a formalized manner suitable\nfor communication, interpretation, or processing by humans or by automatic means. Any\nrepresentations, such as characters or analog quantities, to which meaning is or might be\nassigned.\n\nInformation Assurance (IA) - measures that protect and defend information and\ninformation systems by ensuring their availability, integrity, authentication,\nconfidentiality, and nonrepudiation. This includes providing for restoration of\ninformation systems by incorporating protection, detection, and reaction capabilities.\n\nIntegrity - quality of an information system reflecting the logical correctness and\nreliability of the operating system; the logical completeness of the hardware and software\nimplementing the protection mechanisms; and the consistency of the data structures and\noccurrence of the stored data. 
Note that in a formal security mode, integrity is interpreted\nmore narrowly to mean protection against unauthorized modification or destruction of\ninformation.\n\nNonrepudiation - assurance that the sender of data receives proof of delivery and the\nrecipient receives proof of the sender\'s identity, so neither can later deny having\nprocessed the data.\n\nSensitive Information - information for which the loss, misuse, unauthorized access to,\nor modification of could adversely affect the national interest or the conduct of Federal\nprograms, or the privacy to which individuals are entitled, but which has not been\nspecifically authorized under criteria established by Executive order or an Act of\nCongress to be kept secret in the interest of national defense or foreign policy. Examples\nof sensitive information include, but are not limited to, information in DOD payroll,\nfinance, logistics, and personnel management systems.\n\n\n\n\n                                            19\n\t\n\x0cDefense Finance and Accounting Service Comments \n\n\n\n\n                       DEFENSE FINANCE AND ACCOUNTING SERVICE\n                                     ARLINGTON\n                                      1851 SOUTH BELL STREET\n                                     ARLINGTON , VA 22240\xc2\xb7 5291\n\n\n\n\n      DFAS-ZT\n\n      MEMORANDUM F OR THE DOD INSPECTOR GENERAL\n\n      SUBJECT: Defense Finance and Accmmting Service Needs to Strengthen Procedmes to Comply\n               with the Federal Financial Management Improvement Act (Project No. D20ll\xc2\xad\n               DOOOFB-0116.001)\n\n\n           Attached are management comme~ed completion dates\n      for subject report. My point of contact is- - - -\n\n\n\n\n                                                   Jerry S. 
Hinton\n                                                   Ditector, Information and Technology\n\n      Attachment:\n      As stated\n\n\n\n\n                                              W\\IIW.dfas.mil\n                                      Your Financial Partner @   War~\n\n\n\n\n                                                                 20\n\x0cDefense Finance and Accounting Service Comments \n\n\n\n\n\n                 Defense Finance and Accounting Service Need s to Strengthen Procedures to\n                     Comply with the Federal Financial Management lmpt\xe2\x80\xa2onment Act\n                                   (Project No. D2011- DOOOFB-Oll6.00l )\n\n\n\n      We recommend that the Director. Defense Finance and Accounting Service:\n\n      A. I. Perfom1 an annual review of the Defense Civilian Pay System. as required by\n      Office of Management and Budget Circu lar No. A-1 27, to:\n\n      a. Determine which Blue Book requirements apply to the Defense Civilian Pay\n      Syst~m .\n\n\n      b. Detenuine which of the Blue Book requiremo:nts that apply to the Def.:nse\n      Civilian Pay System. cannot be perfonm:d.\n\n      Management Response: Concur\n\n      DCPS System/Functional Managers will conduct a Self Assessment Review and identify\n      applicable requirements. Estimated Completion Date: August 3 1. 20 12\n\n      A.2. Develop a remediation plan to address the r<:quir<:ments that Defense Civilian Pay\n      System cannot perfonn.\n\n      Managcml\'nf Response: lfDCPS is found not to be compliant. the System Manager will\n      identify requir.!d corrective actions and develop a remediation plan to bring DCPS into\n      s ubstantial compliance. Estinmted Completion Date: September 30. 2012.\n\n\n\n\n                                                                  21\n\x0c\x0c'